MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88d5500916ded187f8d33b6e16f29db7388374f977ad11d39733613085189d27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88d5500916ded187f8d33b6e16f29db7388374f977ad11d39733613085189d27
SHA3-384 hash: ea8d96c518a2844947a021a3be2dc2113e96f54a8a9f2f1d485e47ec9651496015eebcbdb60d006660075a9c2e03b737
SHA1 hash: 9da66a7c4c5f50ba28e07cf065d7d94f992222ae
MD5 hash: 1b87f0c2f15d12fd8b4cc970645d45f7
humanhash: nevada-pizza-cup-spring
File name:Swift MT103_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:770'048 bytes
First seen:2020-08-12 18:31:08 UTC
Last seen:2020-08-12 20:01:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:WfEOEpqVWYKT9r3L03+l03+2LwezPxLf9uSHfAmDq3jrbq2VZK83kG47JZ2z:POEp4q03+l03+2LLbxjDYmDCjHNGe74+
Threatray 11'295 similar samples on MalwareBazaar
TLSH A3F4C02433A59837D27A7A35C967551407BBBC93363EC70E5ACD73CED8203AD4E106AA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: secureserver.8verhost.com
Sending IP: 104.247.74.28
From: accounts@pdgproperty.com
Subject: RE: Order # SP2019-001 Payment Document
Attachment: Swift MT103_PDF.iso (contains "Swift MT103_PDF.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44431/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.11341.14003.13551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/423642
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88d5500916ded187f8d33b6e16f29db7388374f977ad11d39733613085189d27/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 18:33:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rdkvaciw33iyp6gthnxbn4u5w44ig5hzo6wrdu4xgnqtbbiytutq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
295fcf9d436999a321ff1c4efc6a0191e1efe3d68becd3d9d9965a64f540b0f0
AgentTesla
383afa9b82f107b9f040868f783c06115083de21eb8caa8a744a68c92782acae
AgentTesla
6edf56bf042ac4f2cf12f3dcdd5704e71ddeee943463706513ba51123209bc6f
AgentTesla
86fb079125f93834e6dc2f5ef86c61c36f6a9dbae5338a42341f75bf329b06bf
AgentTesla
a5bc29d5e6f55ba05f61fff45175d9864ee0b311ad45baf0cfd65c74666da14c
AgentTesla
a85526e4a0f78afd83f57f2d084c0bd4b82846a06a0aef80c473905561dcfb60
AgentTesla
b1135688496020eb3e075121b22fb9c726c6021068ce415be82d8e48540dc563
AgentTesla
b3cbf1f12ae225e86e853b5a9c100248eac70557eaffff26020cdc9d165f3ff9
AgentTesla
d0d7da6edab70ca763cd813715907daeaafb8f0245a55cf4074446bb218dfd6f
AgentTesla
d4224f6f5b734de53a5a7e5f5675b05f9a808deb058e64d00859146f8255594c
AgentTesla
+ 11'285 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200812-7neerg4xsa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88d5500916ded187f8d33b6e16f29db7388374f977ad11d39733613085189d27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:RSharedStrings
Create hunting rule
Author:Katie Kleemola
Description:identifiers for remote and gmremote
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso a0f41efef4f98cfea2ed0df11750985e1a0715c2e119d45f1e56412d6b8a87c3

AgentTesla

Executable exe 88d5500916ded187f8d33b6e16f29db7388374f977ad11d39733613085189d27

(this sample)

  
Dropped by
MD5 e031a7baed8301a69b44a2a44dc021d5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44431/
  
Dropped by
SHA256 a0f41efef4f98cfea2ed0df11750985e1a0715c2e119d45f1e56412d6b8a87c3

Comments